Build 2602262049: split magent settings and harden local login

backend/app/db.py

@@ -1162,12 +1162,94 @@ def increment_signup_invite_use(invite_id: int) -> None:
 
 
 def verify_user_password(username: str, password: str) -> Optional[Dict[str, Any]]:
-    user = get_user_by_username(username)
-    if not user:
+    # Resolve case-insensitive duplicates safely by only considering local-provider rows.
+    with _connect() as conn:
+        rows = conn.execute(
+            """
+            SELECT id, username, password_hash, role, auth_provider, jellyseerr_user_id,
+                   created_at, last_login_at, is_blocked, auto_search_enabled,
+                   invite_management_enabled, profile_id, expires_at, invited_by_code, invited_at,
+                   jellyfin_password_hash, last_jellyfin_auth_at
+            FROM users
+            WHERE username = ? COLLATE NOCASE
+            ORDER BY
+                CASE WHEN username = ? THEN 0 ELSE 1 END,
+                id ASC
+            """,
+            (username, username),
+        ).fetchall()
+    if not rows:
         return None
-    if not verify_password(password, user["password_hash"]):
-        return None
-    return user
+    for row in rows:
+        provider = str(row[4] or "local").lower()
+        if provider != "local":
+            continue
+        if not verify_password(password, row[2]):
+            continue
+        return {
+            "id": row[0],
+            "username": row[1],
+            "password_hash": row[2],
+            "role": row[3],
+            "auth_provider": row[4],
+            "jellyseerr_user_id": row[5],
+            "created_at": row[6],
+            "last_login_at": row[7],
+            "is_blocked": bool(row[8]),
+            "auto_search_enabled": bool(row[9]),
+            "invite_management_enabled": bool(row[10]),
+            "profile_id": row[11],
+            "expires_at": row[12],
+            "invited_by_code": row[13],
+            "invited_at": row[14],
+            "is_expired": _is_datetime_in_past(row[12]),
+            "jellyfin_password_hash": row[15],
+            "last_jellyfin_auth_at": row[16],
+        }
+    return None
+
+
+def get_users_by_username_ci(username: str) -> list[Dict[str, Any]]:
+    with _connect() as conn:
+        rows = conn.execute(
+            """
+            SELECT id, username, password_hash, role, auth_provider, jellyseerr_user_id,
+                   created_at, last_login_at, is_blocked, auto_search_enabled,
+                   invite_management_enabled, profile_id, expires_at, invited_by_code, invited_at,
+                   jellyfin_password_hash, last_jellyfin_auth_at
+            FROM users
+            WHERE username = ? COLLATE NOCASE
+            ORDER BY
+                CASE WHEN username = ? THEN 0 ELSE 1 END,
+                id ASC
+            """,
+            (username, username),
+        ).fetchall()
+    results: list[Dict[str, Any]] = []
+    for row in rows:
+        results.append(
+            {
+                "id": row[0],
+                "username": row[1],
+                "password_hash": row[2],
+                "role": row[3],
+                "auth_provider": row[4],
+                "jellyseerr_user_id": row[5],
+                "created_at": row[6],
+                "last_login_at": row[7],
+                "is_blocked": bool(row[8]),
+                "auto_search_enabled": bool(row[9]),
+                "invite_management_enabled": bool(row[10]),
+                "profile_id": row[11],
+                "expires_at": row[12],
+                "invited_by_code": row[13],
+                "invited_at": row[14],
+                "is_expired": _is_datetime_in_past(row[12]),
+                "jellyfin_password_hash": row[15],
+                "last_jellyfin_auth_at": row[16],
+            }
+        )
+    return results
 
 
 def set_user_password(username: str, password: str) -> None: